As we work to bring even more value to our audience, we’ve made important changes for those who receive Ad Age with our compliments. As of November 15, 2016 we will no longer be offering full digital access to AdAge.com. However, we will continue to send you our industry-leading print issues focused on providing you with what you need to know to succeed.

If you’d like to continue your unlimited access to AdAge.com, we invite you to become a paid subscriber. Get the news, insights and tools that help you stay on top of what’s next.

Someone's Watching

First, the good news: Negotiations are continuing between the
European Union and the United States regarding the EU's privacy
directive, after both sides missed the self-imposed deadline for a
resolution in June. The bad news? Ditto.

The EU Directive on Data Protection, adopted in 1995, took
effect last October. Under its guidelines, companies doing business
in the EU must obtain an individual's consent each time their
personal data is used for commercial purposes. Consumers must also
have easy access to all of the data held on them. The directive
allows transfers of personal data to non-EU countries only if they
can provide an "adequate" level of privacy protection. In effect,
the directive blocks the flow of European consumers' information
from Europe to the United States, which currently has no federal
privacy legislation that meets the EU's standards.

Under a proposed "safe harbor" arrangement, however, individual
U.S. companies that provide adequate data protection would be
allowed access to personal data from EU member states. The safe
harbor principles set guidelines regarding consumer notice, choice,
and access; onward transfer of information; security; data
integrity and enforcement. Compliance, though, will mean
significantly higher costs for American companies, warns Douglas
Sacks, senior vice president of Infocore, Inc., a Wethersfield,
Connecticut-based international list brokerage and marketing
consultancy. "How will you contact each customer? If you call them,
you have to pay for that; if you send them a letter, you have to
pay postage," he says.

Those close to the privacy issue expected some action to be
taken by the time the June summit was held in Bonn between the
European Commission and the U.S. Department of Commerce. But
although substantial progress was made, the summit ended without a
handshake. The missed deadline means more waiting and hoping that
an agreement will be reached this fall, as promised in a joint
report presented at the meeting.

Sticking points still remain. In particular, EU member states
are reluctant to allow the European Commission to review their
findings regarding whether a U.S. company is in compliance, noted
David L. Aaron, Undersecretary of Commerce for International Trade,
in a speech presented at the summit. Implementation is another
issue: The EU would like U.S. companies to adopt the safe harbor
principles within six months. The U.S. prefers a longer transition,
says Aaron - at least two years, in light of Y2K and industry
consolidation problems, as well as the fact that fewer than half of
EU member states have implemented the directive so far.

What to do while you watch and wait? Many larger, multinational
companies, Infocore's Sacks says, have taken the initiative and met
with privacy commissioners in individual countries to work out
separate trans-border contracts, keeping open the critical flow of
data. Others, such as The McGraw-Hill Companies, are waiting it
out. "It's our understanding that once the safe harbor agreement is
reached, we'll have time to make a choice - whether to apply
through the safe harbor or do our own contracts," says Lisa Pavlok,
director of Washington affairs for McGraw-Hill.

But most EU member states have had data protection laws in place
for several years, points out Bill Whitehurst, director of data
security and privacy programs for IBM. The directive simply
harmonizes existing laws. IBM has been working with authorities in
individual countries to comply with local laws for some time, he
says.

The directive's implementation ma1y have other implications:
Some countries outside the EU are considering using the privacy
legislation as a model for their own, Sacks says.